Skip to content

[Tooling] Secure Claude workflows#4037

Open
iangmaia wants to merge 5 commits into
trunkfrom
iangmaia/secure-claude-workflows
Open

[Tooling] Secure Claude workflows#4037
iangmaia wants to merge 5 commits into
trunkfrom
iangmaia/secure-claude-workflows

Conversation

@iangmaia

@iangmaia iangmaia commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Allow @claude review comments only from trusted commenters and skip Claude workflows on fork/external PRs before checkout or Claude execution.
  • Pin mutable action references and preserve the Claude action's required OIDC permission for GitHub App token exchange.
  • Keep review feedback inline-only where the workflow does not grant issue-comment permissions.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the Claude GitHub Actions workflows by preventing execution on fork/external PRs prior to checkout/action execution, pinning the checkout action to an immutable commit SHA, and constraining PR review feedback to inline-only where top-level commenting isn’t permitted.

Changes:

  • Add a “Check PR origin” gate that queries the PR head repository and skips execution for external/fork PRs.
  • Pin actions/checkout to a specific commit SHA (v7.0.0) and apply conditional execution to checkout/Claude steps.
  • Remove top-level PR comment capability from the PR review workflow prompt/tool allowlist to match granted permissions.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
.github/workflows/claude.yml Adds a pre-check to block Claude runs on external PRs and pins checkout to an immutable SHA.
.github/workflows/claude-pr-review.yml Adds the same pre-check/pinned checkout and restricts the Claude tooling/prompt to inline-only feedback.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@iangmaia iangmaia changed the title Secure Claude workflows [Tooling] Secure Claude workflows Jul 3, 2026
@iangmaia iangmaia force-pushed the iangmaia/secure-claude-workflows branch from d597644 to feafcd9 Compare July 3, 2026 14:20
@iangmaia iangmaia marked this pull request as ready for review July 3, 2026 14:22
@iangmaia iangmaia requested a review from a team as a code owner July 3, 2026 14:22
@iangmaia iangmaia requested a review from bcotrim July 3, 2026 14:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants